Changing from expiring cookies to session cookies.

Hi,
Here is my question. I have a website that has approximately 400 current users. Currently we use a cookie to store username and encrypted password information in the cookies that are stored on the users' computers. Right now the cookies are set to expire in a year. Here is the code that sets the cookie when the user logs on to the website. The name is not specified, so the cookie name that is created is our web address.

The problem that we are running into is when we delete an account of a user that we no longer want on our website, they can access certain information that we don't want them to see because their cookie doesn't expire for the next year. What I want to do is to create a session cookie when they log on to the site that is active during their browser session and then expires when the session is closed. I know that I can create a session cookie with the above logon code by deleting the expire date. What I want to do is still use the subroutine get_cookies to check and see if the user is logged on or not. Is there a way to name the session cookie in the logon code and then check for the name in the get_cookies subroutine to see if the user is logged on or not? I have tried numerous times to name the cookie with no luck. This would be the quickest way to fix this problem for our website because the get_cookies subroutine is already in use on most of our website. The less that I have to change, the faster I can get this up and running. Time is of the essence and I am willing to award max points for a quick resolution to this issue. Thanks in advance to anyone who helps me with this issue.


Why not just change the get_cookies (BTW, you are using the CGI module, so why hand code your own cookie routines?) to check if the user's account exists and if it doesn't, simply delete the cookie and deny the user access.


Hi Tintin,
Could you elaborate a little further on how I would do this with my existing code? I inherited this website that is entirely written in CGI and I am an ASP and JSP programmer. I have been making changes on it for about the past 4 months or so since I started working for my friend's company. We really want to use session cookies instead of ones that are set on the users' computers and expire at a later date. I don't really want to tear apart the website and change a bunch of stuff. I know that my set cookie method works when I remove the expire date from the method as a session cookie. Can I actually name a session cookie when it is set? If so, I am not familiar with the syntax of doing that. Is it done in the CGI header? That way, I would just have to use the get_cookies subroutine to check and see if the session cookie with the name that I have specified in the set cookie routine is active in the user's browser session. This would create the fastest way for us to lock down our site, which is what we are trying to do. We have so many users that we don't want on our site that can access information because of the old cookies that we just want to do this totally differently. So I guess what I would like to do is use the existing set cookie routine and name the cookie without an expiration date to make it die when the browser session is terminated, and then use the existing get_cookies subroutine to make sure that they have an active session cookie in their browser session. My biggest problem is not knowing how to set the name of the cookie and then using the get_cookies subroutine to check for the named session cookie. Any shot at this would be greatly appreciated.
Thanks again for all your help.

jimr100 commented: 2004-10-14

Tintin's suggestion is a good one. For one thing, if you go to solely session variables, you can't have a "Remember me" function. Also, his suggested solution does not require large code changes. What he is saying is that you should not simply accept the existence of a cookie as evidence that a logon is permitted. Your logic should be "if a cookie exists, I will take the username from that cookie, and look it up in the database. If the username has a valid account associated with it, I will permit them access. If the username does not have a valid account associated with it, I will deny them access, and I will wipe the cookie just so I don't even need to check next time this person shows up (though the cookie wiping isn't really needed strictly speaking)."

But, assuming that you do not want to do that, to more directly answer your question: Why not just add another name/value pair to the current code. So, in addition to setting username, password, and bsignedup, set 'new_logged_in' or whatever you want to call it, and then have sub get_cookies (or actually whatever comes subsequent to it) base its logic on the new variable instead of the old one. I note that sub get_cookies isn't really what is doing the validation -- it is just getting the cookie and splitting into name/value pairs. If you want more input I think we need to see what is then done with those name/value pairs.
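An added example (not code from the asker's site or from the answers above) that combines the two suggestions: a named session cookie with no expiry, plus a lookup of the username against the account table before access is granted, with the stale cookie wiped on failure. It assumes CGI.pm, the cookie name 'new_logged_in' from the previous answer, and a constructed %active_accounts hash standing in for the real database query; the site's own password check is not shown.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;

my $q = CGI->new;

# Constructed stand-in for the site's user table. Deleting a user here
# locks them out on their next request, however old their cookie is.
my %active_accounts = (alice => 1, bob => 1);

# After the site's own password check succeeds: set a *named* cookie
# holding only the username. With no -expires it is a session cookie,
# discarded when the browser is closed.
sub login_header {
    my ($username) = @_;
    my $c = $q->cookie(
        -name     => 'new_logged_in',
        -value    => $username,
        -path     => '/',
        -httponly => 1,    # keep page scripts from reading it
    );
    return $q->header(-type => 'text/html', -cookie => $c);
}

# Replacement for the validation done after get_cookies: the cookie is
# only a claim, the account table decides. Returns the username or undef.
sub logged_in_user {
    my $username = $q->cookie('new_logged_in');
    return unless defined $username && $username ne '';
    return $username if $active_accounts{$username};
    return;
}

# Deny access and wipe the stale cookie by expiring it in the past.
sub deny_header {
    my $dead = $q->cookie(-name => 'new_logged_in', -value => '',
                          -path => '/', -expires => '-1d');
    return $q->header(-type => 'text/html', -status => '403 Forbidden',
                      -cookie => $dead);
}

my $user = logged_in_user();
if (defined $user) {
    print $q->header(-type => 'text/html'), "<p>Welcome back, $user</p>\n";
} else {
    print deny_header(), "<p>Please log in.</p>\n";
}
```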

I'd suggest using CGI::Session. It has methods to get and set cookies, and methods for dealing with expiration not only of the cookie, but of the session as a whole, and of individual session values as well. CGI::Session data is usually kept in temp files, but it can store it in a number of different backends (I personally prefer to use files, since cleaning stale sessions is easiest).
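An added example (not the answerer's own code) of the CGI::Session approach: the browser holds only a session id cookie, the username lives in a server-side file, and both the whole session and the 'user' value carry their own expiry. The session directory /tmp/sessions and the %active_accounts hash are assumptions standing in for the site's real configuration and database.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI;
use CGI::Session;

my $q = CGI->new;

# Constructed stand-in for the account table.
my %active_accounts = (alice => 1);

# Load the session named by the CGISESSID cookie, or start a new one.
# Session data is kept in files under Directory; the browser gets only
# the session id.
my $session = CGI::Session->new('driver:File', $q,
                                { Directory => '/tmp/sessions' })
    or die CGI::Session->errstr;

# Whole session dies after 30 idle minutes; the 'user' value alone after
# 10, so a stale login must re-authenticate even inside a live session.
$session->expire('+30m');
$session->expire('user', '+10m');

# Called after the site's own password check passes.
sub login {
    my ($username) = @_;
    $session->param('user', $username);
    $session->flush;
}

# Returns the username only if the account still exists; otherwise the
# server-side session is destroyed so the id cookie is worthless.
sub current_user {
    my $u = $session->param('user');
    return unless defined $u;
    return $u if $active_accounts{$u};
    $session->delete;
    $session->flush;
    return;
}

# The CGISESSID cookie CGI::Session sends has no expiry by default, so it
# is a session cookie that disappears when the browser is closed.
print $session->header(-type => 'text/html');
my $user = current_user();
print defined $user ? "<p>Hello $user</p>\n" : "<p>Please log in.</p>\n";
```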